Abstract. The proposed framework provides a general model of concurrent imperative programming. Programs are modeled as formal languages and concurrency as an interleaving (or shuffle) operator. This yields a simple and elegant algebra of programs. The framework supports the views program logic by Dinsdale-Young and others, which generalizes various type systems and separation logic approaches to program correctness. It also validates familiar operational calculi in small-step and big-step flavours. The consistency of the program logic with respect to the operational rules is established directly and does not use induction on derivations. In fact the whole framework uses only straightforward mathematics. Parametric in states, views and basic commands, it can be instantiated to a variety of concrete languages and settings.

Keywords: semantics, formal languages, concurrency, programming calculi, views

1 Introduction 

A mathematical theory of programming makes it possible to reason about programs and their behaviour in a rigorous way. It abstracts from irrelevant detail, but must still be concrete enough to support all the programming features of interest. For example, modeling programs as binary relations on states (i.e. a program is a set of input-output state pairs) yields a simple and powerful framework for sequential programming. Although it supports reasoning about nondeterministic choice, for example, it abstracts too aggressively to facilitate a compositional treatment of interfering concurrency.

The framework of this paper was inspired by recent work in algebraic semantics and the unification of programming calculi [1,2,3,4,5,6]. It models programs as (formal) languages over usually infinite alphabets, which makes it possible to model concurrent composition with an interleaving (or shuffle) operator. Languages with interleaving have a simple and elegant algebra that is familiar to many computer scientists. In addition to algebraic reasoning, the paper shows that they also support various deductive and operational calculi of programming.

The framework is parametric in a set of computational states. It provides common programming operators such as sequential composition, nondeterministic choice, iteration and concurrency, which can be combined to model constructs of high-level languages such as if-statements and while-loops. Deductive (i.e. Hoare-style) reasoning comes for free, and requires only a decision about which views [8] to use. Views are abstractions of computational states, and many type systems and separation logic approaches for reasoning about concurrency can be understood in terms of them. By representing states and views as languages, the framework can define the judgement of the views calculus in terms of language operators and relations. It is then simple to see why views reasoning works: the proofs that its rules hold as theorems explain every little detail.

The framework also supports operational calculi, in small-step and big-step flavours, for reasoning about program execution. The small-step calculi are parametric in a set of primitive atomic operations that are easy to implement in a machine. The judgements of the small-step calculi are defined in terms of this set, the language representation of states, and familiar language operators and relations. It is straightforward to prove that the usual operational rules, which show how a computation can proceed in small steps, hold as theorems. The treatment of big-step calculi is similar but simpler, because they describe only the overall result of a computation.

The fact that all judgements have a clear and succinct mathematical meaning makes it straightforward to establish relationships among them. For example, it is possible to show that a deductive calculus is consistent with an operational one without embarking on tedious induction proofs involving derivations with particular sets of rules. The consistency covers any operational rule that is a theorem, and there is no need to revise the proof when new rules, such as optimizations, are adopted. The consistency is also parametric in the chosen computational states, views, and the primitive atomic operations used in execution.

The simplicity of the mathematics will hopefully encourage researchers and practitioners to use the framework for reasoning about high-level languages. The framework could also be useful for investigating and justifying new deductive approaches, program transformations, and operational calculi.

All theorems of this paper have been machine-checked with Isabelle/HOL. A proof script is available online [7].

Outline. Section 2 summarizes the definition, operators and algebraic laws of languages. Section 3 outlines abstract calculi that follow from the algebraic laws. Section 4 covers concepts that are common to the deductive calculi in Section 5 and the operational calculi in Section 6. The consistency of the deductive and operational calculi follows in Section 7, and Section 8 concludes. A treatment of recursion appears as an appendix.

2 Languages and laws 

Formal languages offer a simple and expressive formalism for modeling programs, designs and specifications. They are central to the framework; this section summarizes their basic definitions, operators and algebraic laws.

An alphabet is a set. A word over an alphabet $A$ is a finite sequence of elements from $A$. A set of words over an alphabet forms a language. The languages over an alphabet $A$, being subsets of the set of all words over $A$, form a complete Boolean algebra. The intended alphabet will always be clear from the context, and is omitted only when the results hold for an arbitrary alphabet. There are several lattice-theoretic constants and operators, for example:

• $\bot$ is the empty language $\{\}$.

• $\top$ is the language consisting of all words.

• $\bigcup X$ is the least upper bound of the set of languages $X$, and $(\cup)$ its binary variant.

• $\bigcap X$ is the greatest lower bound of the languages in $X$, and $(\cap)$ its binary variant.

Languages also support several other operators that are familiar. In particular:

• $\mathit{skip}$ is the language consisting only of the empty word:

  $\mathit{skip} := \{[\,]\}$

• $(;)$ is the language concatenation operator:

  $P ; Q := \{ p \mathbin{+\!\!+} q \mid p \in P \;\&\; q \in Q \}$

• The Kleene star operator concatenates its argument zero or more times:

  $P^* := \bigcup \{ P^n \mid n \in \mathbb{N} \}$

  where

  $P^0 := \mathit{skip}$

  $P^{k+1} := P ; P^k$

• $(\parallel)$ is the language interleaving (or shuffle) operator:

  $P \parallel Q := \bigcup \{ p \otimes q \mid p \in P \;\&\; q \in Q \}$

  Here $p \otimes q$ denotes the set of all interleavings of the words $p$ and $q$. It can be defined recursively as follows:

  $[\,] \otimes q := \{q\}$

  $p \otimes [\,] := \{p\}$

  $(e : p) \otimes (e' : q) := \{ e : r \mid r \in p \otimes (e' : q) \} \cup \{ e' : r \mid r \in (e : p) \otimes q \}$

Languages have a rich algebra that simplifies formal reasoning. Some basic properties of the operators appear in Table 1.
Table 1. Basic properties of the operators.

                   ∪       ∩       ;       ||
  Commutative      yes     yes     no      yes
  Idempotent       yes     yes     no      no
  Unit             ⊥       ⊤       skip    skip
  Zero             ⊤       ⊥       ⊥       ⊥



Since $(\mathcal{P}(\top), \cup, ;, {}^*, \bot, \mathit{skip})$ is a Kleene algebra [5], all the usual laws and identities hold as theorems. For example, the Kleene star is monotone and satisfies the following laws:

• $\mathit{skip} \cup (P ; P^*) \subseteq P^*$

• $P \cup (Q ; P) \subseteq P \Rightarrow Q^* ; P \subseteq P$

• $\mathit{skip} \cup (P^* ; P) \subseteq P^*$

• $P \cup (R ; Q) \subseteq R \Rightarrow P ; Q^* \subseteq R$

All the binary operators distribute through $(\cup)$ and are consequently monotone. A stronger statement is true for $\circ \in \{\cap, ;, \parallel\}$:

• $P \circ (\bigcup X) = \bigcup \{ P \circ Q \mid Q \in X \}$

• $(\bigcup X) \circ P = \bigcup \{ Q \circ P \mid Q \in X \}$

The same holds for $\circ = \cup$ when $X$ is not empty. In fact it is known that $(\mathcal{P}(\top), \cup, \bot, \parallel, ;, \mathit{skip})$ is a concurrent Kleene algebra, and hence $(;)$ and $(\parallel)$ interact as follows (the properties also appear in [3] as Proposition 5.3 and Corollary 5.4):

• $(P \parallel Q) ; (R \parallel S) \subseteq (P ; R) \parallel (Q ; S)$

• $P ; (Q \parallel R) \subseteq (P ; Q) \parallel R$

• $(P \parallel Q) ; R \subseteq P \parallel (Q ; R)$

• $P ; Q \subseteq P \parallel Q$

In summary, the languages with interleaving satisfy all the laws of programming mentioned in [3,4,5].
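As an added illustration (not code from the paper or its Isabelle/HOL script), the following Python model implements words as tuples and finite languages as frozensets, with concatenation, the recursive shuffle $p \otimes q$, interleaving, bounded Kleene powers and the abstract Hoare triple $P\{Q\}R := P ; Q \subseteq R$ of Section 3.1, and evaluates the laws listed above on constructed sample languages. The Kleene star is only approximated up to a bound, since it is infinite for every language that is not a subset of skip.

```python
from typing import FrozenSet, Tuple

Word = Tuple[str, ...]
Lang = FrozenSet[Word]


def lang(*words) -> Lang:
    """A finite language: a frozenset of words, each word a tuple of symbols."""
    return frozenset(tuple(w) for w in words)


SKIP: Lang = lang(())       # skip = {[]}, the language with only the empty word
BOTTOM: Lang = frozenset()  # bottom = {}, the empty language


def concat(P: Lang, Q: Lang) -> Lang:
    """P ; Q = { p ++ q | p in P and q in Q }"""
    return frozenset(p + q for p in P for q in Q)


def shuffle(p: Word, q: Word) -> FrozenSet[Word]:
    """p (x) q: all interleavings of two words, following the recursive definition."""
    if not p:
        return frozenset({q})
    if not q:
        return frozenset({p})
    return frozenset({(p[0],) + r for r in shuffle(p[1:], q)}
                     | {(q[0],) + r for r in shuffle(p, q[1:])})


def interleave(P: Lang, Q: Lang) -> Lang:
    """P || Q = union of p (x) q over p in P and q in Q."""
    return frozenset(r for p in P for q in Q for r in shuffle(p, q))


def power(P: Lang, k: int) -> Lang:
    """P^0 = skip and P^(k+1) = P ; P^k."""
    return SKIP if k == 0 else concat(P, power(P, k - 1))


def star_upto(P: Lang, k: int) -> Lang:
    """Finite slice of the Kleene star: the union of P^n for n <= k.

    The full P* is infinite unless P is a subset of skip, so a finite model
    can only inspect it up to a bound."""
    return frozenset().union(*(power(P, n) for n in range(k + 1)))


def hoare(P: Lang, Q: Lang, R: Lang) -> bool:
    """Abstract Hoare triple P {Q} R, defined as P ; Q being a subset of R."""
    return concat(P, Q) <= R


def check_laws(P: Lang, Q: Lang, R: Lang, S: Lang) -> dict:
    """Evaluate the laws quoted in the text on concrete finite languages.

    Returns a mapping from law name to whether it holds for these arguments.
    The two entries marked 'not a law' are expected to come out False: they
    record the 'no' cells of Table 1 (; is not commutative, || is not idempotent)."""
    return {
        "|| commutative": interleave(P, Q) == interleave(Q, P),
        "skip is a unit of ||": interleave(SKIP, P) == P == interleave(P, SKIP),
        "bottom is a zero of ;": concat(BOTTOM, P) == BOTTOM == concat(P, BOTTOM),
        "; distributes over union": concat(P, Q | R) == concat(P, Q) | concat(P, R),
        "exchange: (P||Q);(R||S) <= (P;R)||(Q;S)":
            concat(interleave(P, Q), interleave(R, S))
            <= interleave(concat(P, R), concat(Q, S)),
        "P;(Q||R) <= (P;Q)||R": concat(P, interleave(Q, R)) <= interleave(concat(P, Q), R),
        "(P||Q);R <= P||(Q;R)": concat(interleave(P, Q), R) <= interleave(P, concat(Q, R)),
        "P;Q <= P||Q": concat(P, Q) <= interleave(P, Q),
        "Hoare: P {Q} (P||Q)": hoare(P, Q, interleave(P, Q)),
        "; commutative (not a law)": concat(P, Q) == concat(Q, P),
        "|| idempotent (not a law)": interleave(P, P) == P,
    }


if __name__ == "__main__":
    # Constructed sample languages over the alphabet {a, b, c, d}.
    P, Q, R, S = lang(("a",), ("a", "a")), lang(("b",)), lang(("c",)), lang(("d",))
    for name, holds in check_laws(P, Q, R, S).items():
        print(f"{holds!s:5} {name}")
```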

3 Abstract calculi 

The laws yield abstract versions of several familiar calculi of programming, as discussed in [2,3,4,5]. The framework will later instantiate selected rules of the abstract calculi to obtain concrete calculi.

3.1 Hoare logic 

The abstract Hoare triple is defined as follows:

$P \{Q\} R := P ; Q \subseteq R$

Rules of abstract Hoare logic follow as theorems from the algebra:

(Hskip) $P \{\mathit{skip}\} P$

(Hseq) $P \{Q\} R \;\&\; R \{Q'\} S \Rightarrow P \{Q ; Q'\} S$

(Hchoice) $(\forall Q \in X : P \{Q\} R) \Rightarrow P \{\bigcup X\} R$

(Hiter) $P \{Q\} P \Rightarrow P \{Q^*\} P$

(Hcons) $P' \subseteq P \;\&\; P \{Q\} R \;\&\; R \subseteq R' \Rightarrow P' \{Q\} R'$

(Hdisj) $(\forall P \in X : P \{Q\} R) \Rightarrow \bigcup X \{Q\} R$

The next rules, although interesting, are not used in the sequel.

(Hconj) $P \{Q\} R \;\&\; P' \{Q'\} R' \Rightarrow P \cap P' \{Q \cap Q'\} R \cap R'$

(Hframe) $P \{Q\} R \Rightarrow P \parallel P' \{Q\} R \parallel P'$

(Hconc) $P \{Q\} R \;\&\; P' \{Q'\} R' \Rightarrow P \parallel P' \{Q \parallel Q'\} R \parallel R'$
3.2 Plotkin calculus

The basic judgement of the abstract small-step calculus of Plotkin is defined in terms of a set of languages called $\mathit{Actions}$. The only requirement on $\mathit{Actions}$ is that it includes $\mathit{skip}$.

$(P, s) \to (P', s') := \exists Q \in \mathit{Actions} : P \supseteq Q ; P' \;\&\; s ; Q \supseteq s'$

Several rules hold as theorems:

(Paction) $P \in \mathit{Actions} \;\&\; s' \subseteq s ; P \Rightarrow (P, s) \to (\mathit{skip}, s')$

(Pseq1) $(\mathit{skip} ; P, s) \to (P, s)$

(Pseq2) $(P, s) \to (R, s') \Rightarrow (P ; P', s) \to (R ; P', s')$

(Pchoice) $P \in X \Rightarrow (\bigcup X, s) \to (P, s)$

(Piter1) $(P^*, s) \to (\mathit{skip}, s)$

(Piter2) $(P^*, s) \to (P ; P^*, s)$

(Pconc1) $(\mathit{skip} \parallel P, s) \to (P, s)$

(Pconc2) $(P \parallel \mathit{skip}, s) \to (P, s)$

(Pconc3) $(P, s) \to (R, s') \Rightarrow (P \parallel P', s) \to (R \parallel P', s')$

(Pconc4) $(P, s) \to (R, s') \Rightarrow (P' \parallel P, s) \to (P' \parallel R, s')$



3.3 Milner calculus 

While the Plotkin calculus hides actions, the abstract Milner calculus makes them explicit:

$P \xrightarrow{Q} R := Q \in \mathit{Actions} \;\&\; P \supseteq Q ; R$

The abstract Milner rules include:

(Maction) $P \in \mathit{Actions} \Rightarrow P \xrightarrow{P} \mathit{skip}$

(Mseq1) $\mathit{skip} ; P \xrightarrow{\mathit{skip}} P$

(Mseq2) $P \xrightarrow{Q} R \Rightarrow P ; P' \xrightarrow{Q} R ; P'$

(Mchoice) $P \in X \Rightarrow \bigcup X \xrightarrow{\mathit{skip}} P$

(Miter1) $P^* \xrightarrow{\mathit{skip}} \mathit{skip}$

(Miter2) $P^* \xrightarrow{\mathit{skip}} P ; P^*$

(Mconc1) $\mathit{skip} \parallel P \xrightarrow{\mathit{skip}} P$

(Mconc2) $P \parallel \mathit{skip} \xrightarrow{\mathit{skip}} P$

(Mconc3) $P \xrightarrow{Q} R \Rightarrow P \parallel P' \xrightarrow{Q} R \parallel P'$

(Mconc4) $P \xrightarrow{Q} R \Rightarrow P' \parallel P \xrightarrow{Q} P' \parallel R$
3.4 Kahn calculus

The abstract Kahn calculus is a big-step operational calculus. Consequently, its judgement does not mention actions:

$(P, s) \to s' := s ; P \supseteq s'$

It is a big-step calculus with several rules:

(Kskip) $(\mathit{skip}, s) \to s$

(Kseq) $(P, s) \to s' \;\&\; (P', s') \to s'' \Rightarrow (P ; P', s) \to s''$

(Kchoice) $P \in X \;\&\; (P, s) \to s' \Rightarrow (\bigcup X, s) \to s'$

(Kiter1) $(P^*, s) \to s$

(Kiter2) $(P, s) \to s' \;\&\; (P^*, s') \to s'' \Rightarrow (P^*, s) \to s''$

(Kconc1) $(P, s) \to s' \;\&\; (P', s') \to s'' \Rightarrow (P \parallel P', s) \to s''$

(Kconc2) $(P', s) \to s' \;\&\; (P, s') \to s'' \Rightarrow (P \parallel P', s) \to s''$

4 States, traces, descriptions and atoms 

The framework is parametric in a set of computational states $\Sigma$. For example, an instantiation of the framework might choose $\Sigma$ to be the set of all functions mapping variables into values. Let $\sigma$, possibly with decorations, denote an element of $\Sigma$.

The bulk of the framework uses $\Sigma \times \Sigma$ as the language alphabet. That is, the individual elements of a word are pairs of states. Such a word is called a trace. A set of traces, i.e. a language over $\Sigma \times \Sigma$, is called a description.

A description whose traces all have length one is called an atom. The atoms are isomorphic to the binary relations on states, which makes them suitable for modeling the state-transformation behaviour of the (possibly nondeterministic) primitive operations of a high-level language. Let $\mathit{Atoms}$ be the set of all atoms, ranged over by $a$. The next abbreviations simplify the presentation later on:

$a(\sigma) := \{ \sigma' \mid [(\sigma, \sigma')] \in a \}$

$a(S) := \bigcup \{ a(\sigma) \mid \sigma \in S \}$

A trace $t$ is internally consistent, written $\mathit{ic}(t)$, when the states between adjacent pairs are equal:

$\mathit{ic}([\,]) := \mathit{True}$

$\mathit{ic}([(\sigma, \sigma')]) := \mathit{True}$

$\mathit{ic}((\sigma, \sigma') : (\sigma'', \sigma''') : t) := \sigma' = \sigma'' \;\&\; \mathit{ic}((\sigma'', \sigma''') : t)$

A globally-viewed execution trace will always be internally consistent. From a local (e.g. thread) perspective, a trace might be inconsistent due to interference from the environment. The use of sequences of state pairs in compositional models of concurrency dates back to Park [10].

The following function gives the set of all internally consistent traces that end in a particular state:

$\text{ic-traces-ending-in-state}(\sigma) := \{ t \mid \mathit{ic}(t) \;\&\; \exists t', \sigma' : t = t' \mathbin{+\!\!+} [(\sigma', \sigma)] \}$

It associates each state with a description. Note that for every state $\sigma$, the set $\text{ic-traces-ending-in-state}(\sigma)$ is non-empty, since for example $[(\sigma, \sigma)]$ will always be a member.

Let $\mathit{Inconsistent}$ be the set of all traces that are not internally consistent. An inconsistency in a trace cannot be undone later on: $\mathit{Inconsistent} ; P \subseteq \mathit{Inconsistent}$.

5 Deductive calculi 

The framework simplifies partial-correctness reasoning by supporting the views framework of Dinsdale-Young and others [8]. This section explains concisely how and why views-based reasoning works. After giving the necessary background, it presents three calculi, where each calculus builds on its precursor. The first calculus builds on the abstract Hoare logic, and the development culminates in the full views calculus.

5.1 Background: the views framework 

A view describes a set of computational states, and can be thought of as a special kind of assertion. Views are special because they can be composed with operators that enjoy specific algebraic properties:

• $(\mathit{Views}, \models, \bigvee, \bigwedge)$ is a complete lattice.

• $(\mathit{Views}, *, u)$ is a commutative monoid.

• $*$ distributes over $\bigvee$: $v * \bigvee V = \bigvee \{ v * v' \mid v' \in V \}$

• $(\mathit{Views}, \preceq)$ is a preorder.

• $\models$-closure: $\models \subseteq \preceq$

• $\bigvee$-closure: $(\forall v \in V : v \preceq v') \Rightarrow \bigvee V \preceq v'$

• Locality: $v \preceq v' \Rightarrow v * v'' \preceq v' * v''$

An erasure function $\lfloor - \rfloor$ maps a view to the set of computational states it describes. Erasure must satisfy two properties:

• Monotone: $v \preceq v' \Rightarrow \lfloor v \rfloor \subseteq \lfloor v' \rfloor$

• Join-homomorphism: $\lfloor \bigvee V \rfloor = \bigcup \{ \lfloor v \rfloor \mid v \in V \}$

Finally, the views framework is parametric in a set $\mathit{Axioms} \subseteq \mathit{Views} \times \mathit{Atoms} \times \mathit{Views}$. The axioms describe how chosen atoms transform views. Each axiom must be sound in the following sense:

• $(v, a, v') \in \mathit{Axioms} \Rightarrow a(\lfloor v * v'' \rfloor) \subseteq \lfloor v' * v'' \rfloor$
5.2 Basic views calculus

Each view is associated with the set of internally consistent traces that satisfy it at the end, i.e. the traces that establish the view:

$\text{traces-of-view}(v) := \bigcup \{ \text{ic-traces-ending-in-state}(\sigma) \mid \sigma \in \lfloor v \rfloor \}$

This representation of views as descriptions plays nicely with erasure:

Lemma 1. $\text{traces-of-view}(v) \subseteq \text{traces-of-view}(v') \iff \lfloor v \rfloor \subseteq \lfloor v' \rfloor$

The definition of the basic views triple uses the abstract Hoare triple and the mapping of views to descriptions:

$v \ll P \gg v' := (\text{traces-of-view}(v) \cup \mathit{Inconsistent}) \{P\} (\text{traces-of-view}(v') \cup \mathit{Inconsistent})$

The judgement $v \ll P \gg v'$ asserts that, whenever a trace that established $v$ is extended with a trace of $P$ in a consistent way, the resulting trace will establish $v'$.

The triple has a simple characterization when $P$ is an atom:

Lemma 2. $v \ll a \gg v' \iff a(\lfloor v \rfloor) \subseteq \lfloor v' \rfloor$
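The following Python model, added here and not part of the paper, instantiates the trace machinery of Section 4 over a constructed four-state space and checks Lemma 2 by brute force: it tests internal consistency of traces, slices ic-traces-ending-in-state and Inconsistent to a bounded length, computes $v \ll a \gg v'$ literally from its definition as a Hoare triple on trace sets, and confirms that the result agrees with $a(\lfloor v \rfloor) \subseteq \lfloor v' \rfloor$ for every pair of views. Views are taken to be sets of states (so erasure is the identity) and the atom INC is constructed; both are assumptions of the example.

```python
from functools import lru_cache
from itertools import combinations, product

# Constructed finite state space: a state is the value of one variable x in 0..3.
STATES = (0, 1, 2, 3)
PAIRS = tuple(product(STATES, STATES))   # the alphabet Sigma x Sigma


def ic(t):
    """Internal consistency of a trace t (a tuple of state pairs): adjacent pairs must meet."""
    return all(t[i][1] == t[i + 1][0] for i in range(len(t) - 1))


@lru_cache(maxsize=None)
def traces_up_to(n):
    """All traces over Sigma x Sigma of length 0..n (a finite slice of the infinite trace set)."""
    return frozenset(t for k in range(n + 1) for t in product(PAIRS, repeat=k))


@lru_cache(maxsize=None)
def ic_traces_ending_in_state(sigma, n):
    """ic-traces-ending-in-state(sigma), restricted to traces of length at most n."""
    return frozenset(t for t in traces_up_to(n) if t and ic(t) and t[-1][1] == sigma)


@lru_cache(maxsize=None)
def inconsistent(n):
    """Inconsistent: the traces of length at most n that are not internally consistent."""
    return frozenset(t for t in traces_up_to(n) if not ic(t))


def concat(P, Q):
    """P ; Q on trace sets."""
    return {p + q for p in P for q in Q}


def hoare(P, Q, R):
    """Abstract Hoare triple P {Q} R := P ; Q is a subset of R."""
    return concat(P, Q) <= R


def traces_of_view(v, n):
    """traces-of-view(v); a view is already a set of states here, i.e. erasure is the identity."""
    return set().union(*(ic_traces_ending_in_state(s, n) for s in v))


def apply_atom(a, S):
    """a(S): the states reachable from the state set S through the atom a (a relation on states)."""
    return {s2 for (s1, s2) in a if s1 in S}


def basic_triple_by_definition(v, a, v2, n):
    """v <<a>> v' computed literally from its definition.

    Pre-traces are cut off at length n; since a contributes exactly one pair,
    post-traces are cut off at n + 1 so that every extended trace is inspected."""
    pre = traces_of_view(v, n) | inconsistent(n)
    post = traces_of_view(v2, n + 1) | inconsistent(n + 1)
    return hoare(pre, {(pair,) for pair in a}, post)


def basic_triple_by_lemma2(v, a, v2):
    """The characterization of Lemma 2: v <<a>> v' iff a(|v|) is a subset of |v'|."""
    return apply_atom(a, v) <= set(v2)


def lemma2_agrees(a, n=2):
    """Compare both sides of Lemma 2 for every pair of views over STATES.

    n >= 1 is needed: with n = 0 the pre-trace set is empty and the definition
    holds vacuously, while the right-hand side may fail."""
    views = [frozenset(c) for k in range(len(STATES) + 1) for c in combinations(STATES, k)]
    return all(basic_triple_by_definition(v, a, v2, n) == basic_triple_by_lemma2(v, a, v2)
               for v in views for v2 in views)


def inconsistency_is_permanent(n=2):
    """Inconsistent ; P is a subset of Inconsistent: no later pair repairs an inconsistent trace."""
    return all(not ic(t) for t in concat(inconsistent(n), traces_up_to(n)))


# Constructed atom: x := (x + 1) mod 4, as the set of state pairs it relates.
INC = frozenset((s, (s + 1) % 4) for s in STATES)

if __name__ == "__main__":
    print(basic_triple_by_lemma2({0, 1}, INC, {1, 2}))   # True
    print(basic_triple_by_lemma2({0, 1}, INC, {1}))      # False
    print(lemma2_agrees(INC), inconsistency_is_permanent())
```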

Since the axioms are sound, and $*$ has a unit, it is easy to prove:

(Batom) $(v, a, v') \in \mathit{Axioms} \Rightarrow v \ll a \gg v'$

Several rules of the basic views calculus follow immediately as theorems from their counterparts in the abstract Hoare logic. In particular:

(Bskip) $v \ll \mathit{skip} \gg v$

(Bseq) $v \ll P \gg v' \;\&\; v' \ll P' \gg v'' \Rightarrow v \ll P ; P' \gg v''$

(Bchoice) $(\forall P \in X : v \ll P \gg v') \Rightarrow v \ll \bigcup X \gg v'$

(Biter) $v \ll P \gg v \Rightarrow v \ll P^* \gg v$

Because erasure is monotone, the rule of consequence follows from Lemma 1 and (Hcons):

(Bcons) $v \preceq v' \;\&\; v' \ll P \gg v'' \;\&\; v'' \preceq v''' \Rightarrow v \ll P \gg v'''$

Erasure is a join-homomorphism, which implies:

Lemma 3. $\text{traces-of-view}(\bigvee V) = \bigcup \{ \text{traces-of-view}(v) \mid v \in V \}$

The basic rule of disjunction follows from (Hcons), (Hdisj), Lemma 3 and the fact that $\mathit{Inconsistent} ; P \subseteq \mathit{Inconsistent}$:

(Bdisj) $(\forall v \in V : v \ll P \gg v') \Rightarrow \bigvee V \ll P \gg v'$

The judgement of the basic calculus is rather weak and easy to establish. This has two important consequences. Firstly, it does not constrain the description (the middle operand of the triple) much, so the calculus has broad applicability. Secondly, it does not support reasoning that relies on stronger assumptions. The frame and concurrency rules are therefore missing from the basic calculus. The next two calculi will support more sophisticated reasoning by adopting stronger judgements.
5.3 Framing calculus

The framing calculus supports top-level framing. Its judgement uses the judgement of the basic views calculus:

$v [P] v' := \forall v'' \in \mathit{Views} : (v * v'') \ll P \gg (v' * v'')$

The judgement is stronger than the basic one because $*$ has a unit.

Theorem 1. $v [P] v' \Rightarrow v \ll P \gg v'$

The rule for atoms follows from the soundness of the axioms and Lemma 2:

(Fatom) $(v, a, v') \in \mathit{Axioms} \Rightarrow v [a] v'$

Several rules follow directly from the corresponding ones in the basic calculus:

(Fskip) $v [\mathit{skip}] v$

(Fseq) $v [P] v' \;\&\; v' [P'] v'' \Rightarrow v [P ; P'] v''$

(Fchoice) $(\forall P \in X : v [P] v') \Rightarrow v [\bigcup X] v'$

(Fiter) $v [P] v \Rightarrow v [P^*] v$

The rule of consequence holds by Locality and (Bcons):

(Fcons) $v \preceq v' \;\&\; v' [P] v'' \;\&\; v'' \preceq v''' \Rightarrow v [P] v'''$

The rule (Bdisj), together with the fact that $*$ is commutative and distributes over $\bigvee$, implies the rule of disjunction:

(Fdisj) $(\forall v \in V : v [P] v') \Rightarrow \bigvee V [P] v'$

The frame rule follows from the associativity of $*$:

(Fframe) $v [P] v' \Rightarrow (v * v'') [P] (v' * v'')$

The framing calculus supports only top-level framing: it does not constrain what happens at the intermediate steps of a computation. Compositional reasoning about concurrency usually demands internal framing, which ensures that concurrent components do not interfere with each other's views. The next calculus gains the concurrency rule by doing exactly this.

5.4 Full views calculus 

The full views calculus does not reason directly about descriptions. Instead, users of the calculus (e.g. high-level languages) must represent a description as a command, which is a language over atoms. Factoring a description into atoms provides a simple way for the calculus to get a handle on its internal structure. As a result, the calculus can offer a compositional rule for concurrency.

The mapping from commands to descriptions is straightforward. Every atom sequence has an associated trace set:
$\text{trace-set-of-atom-sequence}([\,]) := \mathit{skip}$

$\text{trace-set-of-atom-sequence}(a : as) := a ; \text{trace-set-of-atom-sequence}(as)$

Likewise, every command also has a corresponding trace set, which is the description it denotes:

$\text{trace-set-of-command}(C) := \bigcup \{ \text{trace-set-of-atom-sequence}(as) \mid as \in C \}$

Let $a$, when used as a command, denote the singleton language $\{[a]\}$.

The judgement of the full views calculus uses an auxiliary judgement for atom sequences:

$v \,\#[\,]\#\, v' := v [\mathit{skip}] v'$

$v \,\#(a : as)\#\, v' := \exists v'' \in \mathit{Views} : v [a] v'' \;\&\; v'' \,\#as\#\, v'$

The definition of the main judgement quantifies over all the atom sequences of a command:

$\{v\} C \{v'\} := \forall as \in C : v \,\#as\#\, v'$

The new judgements are stronger than the judgement of the framing calculus in the obvious sense. By induction on $as$, it follows from (Fseq) that:

Lemma 4. $v \,\#as\#\, v' \Rightarrow v [\text{trace-set-of-atom-sequence}(as)] v'$

This lemma, together with (Fchoice), implies:

Theorem 2. $\{v\} C \{v'\} \Rightarrow v [\text{trace-set-of-command}(C)] v'$

Most rules of the full views calculus rely on lemmas about the auxiliary judgement. These lemmas are typically proved by induction on atom sequences. Standard mathematical machinery, such as induction, will not be mentioned in the text below. Only the important ingredients of a proof are made explicit, such as direct or indirect dependencies on the properties of views. If a rule immediately follows a lemma, then it is a trivial corollary.

Using (Fatom) and (Fskip), it is simple to establish:

(Vatom) $(v, a, v') \in \mathit{Axioms} \Rightarrow \{v\} a \{v'\}$

The rule (Fskip) immediately implies:

(Vskip) $\{v\} \mathit{skip} \{v\}$

By (Fseq), it holds that:

Lemma 5. $v \,\#as\#\, v' \;\&\; v' \,\#as'\#\, v'' \Rightarrow v \,\#(as \mathbin{+\!\!+} as')\#\, v''$

(Vseq) $\{v\} C \{v'\} \;\&\; \{v'\} C' \{v''\} \Rightarrow \{v\} C ; C' \{v''\}$

It is trivial to establish the rule for nondeterministic choice:

(Vchoice) $(\forall C \in Y : \{v\} C \{v'\}) \Rightarrow \{v\} \bigcup Y \{v'\}$

By (Vskip) and (Vseq), the following lemma holds:

Lemma 6. $\{v\} C \{v\} \Rightarrow \{v\} C^n \{v\}$

This lemma, together with (Vchoice), implies the rule for iteration:

(Viter) $\{v\} C \{v\} \Rightarrow \{v\} C^* \{v\}$

The rule (Fcons) and the reflexivity of $\preceq$ can be used to prove:

Lemma 7. $v \preceq v' \;\&\; v' \,\#as\#\, v'' \;\&\; v'' \preceq v''' \Rightarrow v \,\#as\#\, v'''$

(Vcons) $v \preceq v' \;\&\; \{v'\} C \{v''\} \;\&\; v'' \preceq v''' \Rightarrow \{v\} C \{v'''\}$

Using (Fdisj), the fact that $(\mathit{Views}, \models, \bigvee, \bigwedge)$ is a complete lattice, $\models$-closure, the reflexivity of $\preceq$, and (Fcons), it is possible to establish:

Lemma 8. $(\forall v \in V : v \,\#as\#\, v') \Rightarrow \bigvee V \,\#as\#\, v'$

(Vdisj) $(\forall v \in V : \{v\} C \{v'\}) \Rightarrow \{\bigvee V\} C \{v'\}$

From (Fframe) follows:

Lemma 9. $v \,\#as\#\, v' \Rightarrow (v * v'') \,\#as\#\, (v' * v'')$

(Vframe) $\{v\} C \{v'\} \Rightarrow \{v * v''\} C \{v' * v''\}$

Using (Fframe), (Fseq) and the commutativity of $*$, one can show:

Lemma 10. $v_1 \,\#as_1\#\, v_1' \;\&\; v_2 \,\#as_2\#\, v_2' \;\&\; as \in as_1 \otimes as_2 \Rightarrow (v_1 * v_2) \,\#as\#\, (v_1' * v_2')$

This directly yields a compositional rule for concurrency:

(Vconc) $\{v_1\} C_1 \{v_1'\} \;\&\; \{v_2\} C_2 \{v_2'\} \Rightarrow \{v_1 * v_2\} C_1 \parallel C_2 \{v_1' * v_2'\}$

6 Operational calculi 

Program execution can be investigated formally with operational calculi, which help to discover valid executions of programs.

Small-step calculi, such as the Plotkin [11] and Milner [12] ones, are concerned with how a computation can unfold by performing (a sequence of) actions that are easy to implement in a computer. These calculi are therefore parametric in a set $\mathit{AtomicOperations} \subseteq \mathit{Atoms}$, whose elements model small atomic steps. For example, a hypothetical high-level language might include Boolean tests, variable assignments and heap operations in this set. The framework defines $\mathit{Actions}$ in terms of $\mathit{AtomicOperations}$:

$\mathit{Actions} := \{\mathit{skip}\} \cup \mathit{AtomicOperations}$

Think of $\mathit{skip}$ as the trivial action that takes zero time to execute. It cannot change the computational state. In contrast, an action from $\mathit{AtomicOperations}$ embodies real work and may transform the state. Think of its execution as taking, say, one time unit.

Big-step calculi, such as Kahn's natural semantics [13] (see [13] for its application to imperative programming), will usually include rules for executing selected actions. However, the emphasis is on the ultimate result of a computation, and not on intermediate steps.

This section develops operational calculi for descriptions and also for commands.
6.1 Descriptions

The abstract Plotkin and Kahn calculi do not mention computational states explicitly. However, they can be instantiated to obtain the familiar versions.

Plotkin calculus. The judgement of the Plotkin calculus is defined in terms of the abstract one:

$(P, \sigma) \to (P', \sigma') := \exists t \in \text{ic-traces-ending-in-state}(\sigma), t' \in \text{ic-traces-ending-in-state}(\sigma') : (P, \{t\}) \to (P', \{t'\})$

It says that one way of executing $P$ is to execute some action followed by $P'$. The action itself is hidden: only its effect on the state is explicit in the judgement.

There is also an equivalent characterization, which expresses that what happened before the initial state does not matter:

Lemma 11. $(P, \sigma) \to (P', \sigma') \iff \forall t \in \text{ic-traces-ending-in-state}(\sigma) : \exists t' \in \text{ic-traces-ending-in-state}(\sigma') : (P, \{t\}) \to (P', \{t'\})$

The rules of the Plotkin calculus are all easy to derive. A rule for atomic operations follows from (Paction):

(PDatom) $a \in \mathit{AtomicOperations} \;\&\; \sigma' \in a(\sigma) \Rightarrow (a, \sigma) \to (\mathit{skip}, \sigma')$

Other rules are trivial consequences of their abstract counterparts.

(PDseq1) $(\mathit{skip} ; P, \sigma) \to (P, \sigma)$

(PDseq2) $(P, \sigma) \to (R, \sigma') \Rightarrow (P ; P', \sigma) \to (R ; P', \sigma')$

(PDchoice) $P \in X \Rightarrow (\bigcup X, \sigma) \to (P, \sigma)$

(PDiter1) $(P^*, \sigma) \to (\mathit{skip}, \sigma)$

(PDiter2) $(P^*, \sigma) \to (P ; P^*, \sigma)$

(PDconc1) $(\mathit{skip} \parallel P, \sigma) \to (P, \sigma)$

(PDconc2) $(P \parallel \mathit{skip}, \sigma) \to (P, \sigma)$

(PDconc3) $(P, \sigma) \to (R, \sigma') \Rightarrow (P \parallel P', \sigma) \to (R \parallel P', \sigma')$

(PDconc4) $(P, \sigma) \to (R, \sigma') \Rightarrow (P' \parallel P, \sigma) \to (P' \parallel R, \sigma')$

The definitions of the iterated and reflexive transitive versions of the judgement are standard:

$(P, \sigma) \to^0 (P', \sigma') := P = P' \;\&\; \sigma = \sigma'$

$(P, \sigma) \to^{n+1} (P', \sigma') := \exists P'', \sigma'' : (P, \sigma) \to (P'', \sigma'') \;\&\; (P'', \sigma'') \to^n (P', \sigma')$

$(P, \sigma) \to^* (P', \sigma') := \exists n : (P, \sigma) \to^n (P', \sigma')$
Kahn calculus. The judgement of the Kahn calculus is defined in terms of the abstract Kahn judgement:

$(P, \sigma) \to \sigma' := \exists t \in \text{ic-traces-ending-in-state}(\sigma), t' \in \text{ic-traces-ending-in-state}(\sigma') : (P, \{t\}) \to \{t'\}$

It says that $P$ has an internally consistent trace that can transform the initial state $\sigma$ into the final state $\sigma'$. What brought about the initial state is again unimportant:

Lemma 12. $(P, \sigma) \to \sigma' \iff \forall t \in \text{ic-traces-ending-in-state}(\sigma) : \exists t' \in \text{ic-traces-ending-in-state}(\sigma') : (P, \{t\}) \to \{t'\}$

It is straightforward to obtain a rule for executing atomic operations:

(KDatom) $a \in \mathit{AtomicOperations} \;\&\; \sigma' \in a(\sigma) \Rightarrow (a, \sigma) \to \sigma'$

Other rules follow trivially from Lemma 12 and their abstract counterparts:

(KDskip) $(\mathit{skip}, \sigma) \to \sigma$

(KDseq) $(P, \sigma) \to \sigma' \;\&\; (P', \sigma') \to \sigma'' \Rightarrow (P ; P', \sigma) \to \sigma''$

(KDchoice) $P \in X \;\&\; (P, \sigma) \to \sigma' \Rightarrow (\bigcup X, \sigma) \to \sigma'$

(KDiter1) $(P^*, \sigma) \to \sigma$

(KDiter2) $(P, \sigma) \to \sigma' \;\&\; (P^*, \sigma') \to \sigma'' \Rightarrow (P^*, \sigma) \to \sigma''$

(KDconc1) $(P, \sigma) \to \sigma' \;\&\; (P', \sigma') \to \sigma'' \Rightarrow (P \parallel P', \sigma) \to \sigma''$

(KDconc2) $(P', \sigma) \to \sigma' \;\&\; (P, \sigma') \to \sigma'' \Rightarrow (P \parallel P', \sigma) \to \sigma''$

Relationships. The Plotkin judgement can be characterized in terms of the Milner and Kahn judgements:

Lemma 13. $(P, \sigma) \to (P', \sigma') \iff \exists Q : P \xrightarrow{Q} P' \;\&\; (Q, \sigma) \to \sigma'$

This lemma makes it clear that the Plotkin judgement hides the action that effected the state change.

An equivalent and perhaps more familiar formulation uses a function $[\![ - ]\!]$ that captures the state-transformation behaviour of a description:

$[\![ P ]\!](\sigma) := \{ \sigma' \mid (P, \sigma) \to \sigma' \}$

Thus $\sigma' \in [\![ P ]\!](\sigma) \iff (P, \sigma) \to \sigma'$, and the relationship of Lemma 13 can be written as follows:

$(P, \sigma) \to (P', \sigma') \iff \exists Q : P \xrightarrow{Q} P' \;\&\; \sigma' \in [\![ Q ]\!](\sigma)$

Note that actions have simple state-transformation behaviour: $[\![ \mathit{skip} ]\!](\sigma) = \{\sigma\}$ and $[\![ a ]\!](\sigma) = a(\sigma)$.

Another relationship involves the Plotkin and Kahn judgements. The judgement $(P, \sigma) \to^* (\mathit{skip}, \sigma')$ says that $P$ can transform the initial state $\sigma$ into the final state $\sigma'$:

Lemma 14. $(P, \sigma) \to^* (\mathit{skip}, \sigma') \Rightarrow (P, \sigma) \to \sigma'$

It also says that the input/output state transformations described by the reflexive transitive closure of the Plotkin judgement only approximate those of the Kahn judgement. However, this does not mean that the Plotkin judgement is useless. It yields a calculus with interesting rules for concurrency, while the Kahn calculus has only trivial ones. Furthermore, the Plotkin calculus contains information about non-terminating behaviours that the Kahn calculus cannot describe.



6.2 Commands 

Although a command is only a dressed-up description, it may be desirable to reason directly about its execution. Fortunately, the mapping from commands to descriptions has nice algebraic properties:

Lemma 15 (Homomorphism).

• $\text{trace-set-of-command}(a) = a$

• $\text{trace-set-of-command}(\mathit{skip}) = \mathit{skip}$

• $\text{trace-set-of-command}(C ; C') = \text{trace-set-of-command}(C) ; \text{trace-set-of-command}(C')$

• $\text{trace-set-of-command}(\bigcup Y) = \bigcup \{ \text{trace-set-of-command}(C) \mid C \in Y \}$

• $\text{trace-set-of-command}(C^*) = \text{trace-set-of-command}(C)^*$

• $\text{trace-set-of-command}(C \parallel C') = \text{trace-set-of-command}(C) \parallel \text{trace-set-of-command}(C')$

This will make it easy to construct operational calculi for commands.



Plotkin calculus. The Plotkin judgement for commands is defined in terms of the one for descriptions:

$(C, \sigma) \to (C', \sigma') := (\text{trace-set-of-command}(C), \sigma) \to (\text{trace-set-of-command}(C'), \sigma')$

Several rules for commands follow from the corresponding rules for descriptions and Lemma 15:

(PCatom) $a \in \mathit{AtomicOperations} \;\&\; \sigma' \in a(\sigma) \Rightarrow (a, \sigma) \to (\mathit{skip}, \sigma')$

(PCseq1) $(\mathit{skip} ; C, \sigma) \to (C, \sigma)$

(PCseq2) $(C, \sigma) \to (C', \sigma') \Rightarrow (C ; C'', \sigma) \to (C' ; C'', \sigma')$

(PCchoice) $C \in Y \Rightarrow (\bigcup Y, \sigma) \to (C, \sigma)$

(PCiter1) $(C^*, \sigma) \to (\mathit{skip}, \sigma)$

(PCiter2) $(C^*, \sigma) \to (C ; C^*, \sigma)$

(PCconc1) $(\mathit{skip} \parallel C, \sigma) \to (C, \sigma)$

(PCconc2) $(C \parallel \mathit{skip}, \sigma) \to (C, \sigma)$

(PCconc3) $(C, \sigma) \to (C', \sigma') \Rightarrow (C \parallel C'', \sigma) \to (C' \parallel C'', \sigma')$

(PCconc4) $(C, \sigma) \to (C', \sigma') \Rightarrow (C'' \parallel C, \sigma) \to (C'' \parallel C', \sigma')$

There are also iterated and reflexive transitive versions of the judgement:

$(C, \sigma) \to^0 (C', \sigma') := C = C' \;\&\; \sigma = \sigma'$

$(C, \sigma) \to^{n+1} (C', \sigma') := \exists C'', \sigma'' : (C, \sigma) \to (C'', \sigma'') \;\&\; (C'', \sigma'') \to^n (C', \sigma')$

$(C, \sigma) \to^* (C', \sigma') := \exists n : (C, \sigma) \to^n (C', \sigma')$

and the following relationship holds:

Lemma 16. $(C, \sigma) \to^* (C', \sigma') \Rightarrow (\text{trace-set-of-command}(C), \sigma) \to^* (\text{trace-set-of-command}(C'), \sigma')$

Milner calculus. The Milner judgement for commands uses the Milner judgement for descriptions:

$C \xrightarrow{Q} C' := \text{trace-set-of-command}(C) \xrightarrow{Q} \text{trace-set-of-command}(C')$

The previous Milner rules and Lemma 15 directly yield rules for commands:

(MCatom) $a \in \mathit{AtomicOperations} \Rightarrow a \xrightarrow{a} \mathit{skip}$

(MCseq1) $\mathit{skip} ; C \xrightarrow{\mathit{skip}} C$

(MCseq2) $C \xrightarrow{Q} C' \Rightarrow C ; C'' \xrightarrow{Q} C' ; C''$

(MCchoice) $C \in Y \Rightarrow \bigcup Y \xrightarrow{\mathit{skip}} C$

(MCiter1) $C^* \xrightarrow{\mathit{skip}} \mathit{skip}$

(MCiter2) $C^* \xrightarrow{\mathit{skip}} C ; C^*$

(MCconc1) $\mathit{skip} \parallel C \xrightarrow{\mathit{skip}} C$

(MCconc2) $C \parallel \mathit{skip} \xrightarrow{\mathit{skip}} C$

(MCconc3) $C \xrightarrow{Q} C' \Rightarrow C \parallel C'' \xrightarrow{Q} C' \parallel C''$

(MCconc4) $C \xrightarrow{Q} C' \Rightarrow C'' \parallel C \xrightarrow{Q} C'' \parallel C'$

Kahn calculus. Here is the Kahn judgement for commands:

$(C, \sigma) \to \sigma' := (\text{trace-set-of-command}(C), \sigma) \to \sigma'$

As expected, Lemma 15 is useful for deriving rules from the ones for descriptions:

(KCatom) $a \in \mathit{AtomicOperations} \;\&\; \sigma' \in a(\sigma) \Rightarrow (a, \sigma) \to \sigma'$

(KCskip) $(\mathit{skip}, \sigma) \to \sigma$

(KCseq) $(C, \sigma) \to \sigma' \;\&\; (C', \sigma') \to \sigma'' \Rightarrow (C ; C', \sigma) \to \sigma''$

(KCchoice) $C \in Y \;\&\; (C, \sigma) \to \sigma' \Rightarrow (\bigcup Y, \sigma) \to \sigma'$

(KCiter1) $(C^*, \sigma) \to \sigma$

(KCiter2) $(C, \sigma) \to \sigma' \;\&\; (C^*, \sigma') \to \sigma'' \Rightarrow (C^*, \sigma) \to \sigma''$

(KCconc1) $(C, \sigma) \to \sigma' \;\&\; (C', \sigma') \to \sigma'' \Rightarrow (C \parallel C', \sigma) \to \sigma''$

(KCconc2) $(C', \sigma) \to \sigma' \;\&\; (C, \sigma') \to \sigma'' \Rightarrow (C \parallel C', \sigma) \to \sigma''$
Relationships. The Plotkin, Milner and Kahn judgements for commands enjoy a similar relationship as before:

Lemma 17. $(C, \sigma) \to (C', \sigma') \iff \exists C'' : C \xrightarrow{C''} C' \;\&\; (C'', \sigma) \to \sigma'$

This can also be formulated in terms of a state-transformation function for commands:

$[\![ C ]\!](\sigma) := \{ \sigma' \mid (C, \sigma) \to \sigma' \}$

Note that $[\![ C ]\!] = [\![ \text{trace-set-of-command}(C) ]\!]$, so Lemma 15 can help to characterize the state-transformation behaviour of commands as e.g. equations.

A familiar relationship holds between the Plotkin and Kahn judgements:

Lemma 18. $(C, \sigma) \to^* (\mathit{skip}, \sigma') \Rightarrow (C, \sigma) \to \sigma'$

It is a direct consequence of Lemmas 16, 15 and 14.

7 Consistency of deductive and operational calculi 

The deductive calculi give the standard partial correctness guarantees, and are in this sense consistent with respect to the operational calculi. To establish this formally, it helps to start with the weakest deductive and operational judgements. The proof of the consistency of the basic views calculus and the Kahn calculus is straightforward.

Theorem 3. $v \ll P \gg v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (P, \sigma) \to \sigma' \Rightarrow \sigma' \in \lfloor v' \rfloor)$

Together with earlier definitions and results, this theorem simplifies the proofs of other consistency statements. For example, the following statement is an immediate consequence:

Corollary 1. $v \ll P \gg v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : [\![ P ]\!](\sigma) \subseteq \lfloor v' \rfloor)$

Lemma 14 renders the consistency of the basic views calculus and the Plotkin calculus trivial:

Corollary 2. $v \ll P \gg v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (P, \sigma) \to^* (\mathit{skip}, \sigma') \Rightarrow \sigma' \in \lfloor v' \rfloor)$

The consistency of the framing calculus follows by Theorem 1:

Corollary 3. $v [P] v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (P, \sigma) \to \sigma' \Rightarrow \sigma' \in \lfloor v' \rfloor)$

Corollary 4. $v [P] v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : [\![ P ]\!](\sigma) \subseteq \lfloor v' \rfloor)$

Corollary 5. $v [P] v' \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (P, \sigma) \to^* (\mathit{skip}, \sigma') \Rightarrow \sigma' \in \lfloor v' \rfloor)$

The full views calculus is also consistent with respect to the operational calculi. It is a consequence of Theorem 2 and Lemma 15:

Corollary 6. $\{v\} C \{v'\} \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (C, \sigma) \to \sigma' \Rightarrow \sigma' \in \lfloor v' \rfloor)$

Corollary 7. $\{v\} C \{v'\} \Rightarrow (\forall \sigma \in \lfloor v \rfloor : [\![ C ]\!](\sigma) \subseteq \lfloor v' \rfloor)$

Corollary 8. $\{v\} C \{v'\} \Rightarrow (\forall \sigma \in \lfloor v \rfloor : (C, \sigma) \to^* (\mathit{skip}, \sigma') \Rightarrow \sigma' \in \lfloor v' \rfloor)$
8 Conclusion



The framework is exactly what its name suggests - a scaffolding for modeling 
high-level languages and reasoning about them. Users can choose the state space, 
views, and the primitive atomic operations. The framework provides common 
programming operators, such as concurrent and sequential composition, non- 
deterministic choice and iteration. These operators obey a rich set of algebraic 
laws, and can be combined to model high-level language constructs such as con- 
ditionals and while-loops. The framework provides deductive and operational 
reasoning for free. 

The deductive and operational calculi are largely decoupled, yet still con- 
sistent with each other. This consistency is robust with respect to the exact 
operational rules. For example, it is perfectly acceptable to add the rule: 

(PDfuturechoice) $(P ; (P' \cup P''), \sigma) \rightarrow (P ; P', \sigma)$

As long as a new rule is a theorem, it cannot contradict the deductive calculi. 
The consistency is parametric in $\mathit{AtomicOperations}$, so it does not even depend 
on the exact choice of the primitive machine-executable operations. 

The fact that everything is simple mathematics will hopefully encourage re- 
searchers and practitioners to propose extensions to the framework. It appears 
likely that other deductive reasoning techniques for concurrency will be devel- 
oped in the future, and fitting them into this framework might clearly show why 
they work. Just like views-based reasoning, a method might require a new judge- 
ment, proofs that its rules are theorems, and a demonstration of its consistency 
with respect to the operational calculi. The framework also makes it possible to 
justify new program optimizations and calculi for program execution. 
Appendix: Recursion

Recursion is fundamental to procedure and loop mechanisms of high-level lan- 
guages. The framework allows a standard treatment of recursion, on the level of 
descriptions and also on the level of commands, in terms of monotone functions 
and least fixpoints. It validates the usual deductive and operational rules for 
recursion, which is the main topic of this section. 

The Knaster-Tarski theorem says that every monotone function $f$ on a complete lattice has a least fixpoint $\mathit{lfp}\,f$ (also written $\mathit{fix}\,x . f(x)$), and that:

$$\mathit{lfp}\,f = \bigcap\{P \mid f(P) \subseteq P\}$$
Deductive rules 

Suppose a deductive calculus has the following properties: 

1. The programs (e.g. descriptions or commands) form a complete lattice. 

2. A choice rule holds: showing that all elements of an arbitrary set satisfy a 
pre/post specification is sufficient for the least upper bound of the set to 
satisfy it. 
3. Triples are downward-closed in the middle (i.e. program) argument. 

Then the weakest satisfiers of pre/post specifications (i.e. specification statements) exist, and the usual rule for recursion is readily proved with the Knaster-Tarski theorem. (This technique is also applied elsewhere, e.g. in [15].) 

The abstract Hoare logic and all three deductive calculi for views have these properties. So the following rules, where $f$ in each of them is a monotone function of an appropriate type, are all theorems:

(Hrec) $(\forall Q : P\{Q\}R \Rightarrow P\{f(Q)\}R) \Rightarrow P\{\mathit{lfp}\,f\}R$

(Brec) $(\forall P : v\langle P\rangle v' \Rightarrow v\langle f(P)\rangle v') \Rightarrow v\langle \mathit{lfp}\,f\rangle v'$

(Frec) $(\forall P : v[P]v' \Rightarrow v[f(P)]v') \Rightarrow v[\mathit{lfp}\,f]v'$

(Vrec) $(\forall C : \{v\}C\{v'\} \Rightarrow \{v\}f(C)\{v'\}) \Rightarrow \{v\}\mathit{lfp}\,f\{v'\}$

Operational rules 

The operational rules for recursion rely on the fact that the least fixpoint of a function is a fixpoint, i.e. $\mathit{lfp}\,f = f(\mathit{lfp}\,f)$, and some additionally use the action $\mathit{skip}$ to unroll recursion. The rules of the abstract, description and command calculi look similar and all of them have straightforward proofs. Assume that $f$ is a monotone function on commands in the following rules:

(PCrec)  $(f(\mathit{lfp}\,f), \sigma) \rightarrow (C, \sigma') \Rightarrow (\mathit{lfp}\,f, \sigma) \rightarrow (C, \sigma')$

(PCrec') $(\mathit{lfp}\,f, \sigma) \rightarrow (f(\mathit{lfp}\,f), \sigma)$

(MCrec)  $f(\mathit{lfp}\,f) \xrightarrow{a} C \Rightarrow \mathit{lfp}\,f \xrightarrow{a} C$

(MCrec') $\mathit{lfp}\,f \xrightarrow{\mathit{skip}} f(\mathit{lfp}\,f)$

(KCrec)  $(f(\mathit{lfp}\,f), \sigma) \rightarrow \sigma' \Rightarrow (\mathit{lfp}\,f, \sigma) \rightarrow \sigma'$



Further remarks 

The Knaster-Tarski characterization of the least fixpoint and the Kleene star 
laws imply that iteration is a special case of recursion: 

Lemma 19. $P^* = \mathit{lfp}\,(\lambda x . \mathit{skip} \cup (P ; x))$

The monotonicity of the function $(\lambda x . \mathit{skip} \cup (P ; x))$ follows from the monotonicity of $(\cup)$ and $(;)$. It is possible to derive the rules for iteration by using the ones for recursion. 
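The two inclusions behind Lemma 19 can be written out from the Knaster-Tarski characterization; this short derivation is added here and is not part of the paper. It assumes that the "Kleene star laws" referred to above are the standard unfolding law $P^* = \mathit{skip} \cup (P ; P^*)$ and the induction law $\mathit{skip} \cup (P ; x) \subseteq x \Rightarrow P^* \subseteq x$. Write $f = \lambda x . \mathit{skip} \cup (P ; x)$.

$$f(P^*) = \mathit{skip} \cup (P ; P^*) = P^* \subseteq P^*, \quad\text{so}\quad P^* \in \{x \mid f(x) \subseteq x\} \quad\text{and hence}\quad \mathit{lfp}\,f = \bigcap\{x \mid f(x) \subseteq x\} \subseteq P^*.$$

$$f(x) \subseteq x \;\Rightarrow\; P^* \subseteq x \quad\text{for every } x, \quad\text{so}\quad P^* \subseteq \bigcap\{x \mid f(x) \subseteq x\} = \mathit{lfp}\,f.$$

Together, $P^* = \mathit{lfp}\,f$. The first inclusion uses only that $P^*$ is a pre-fixpoint; the second is exactly the induction law read as "$P^*$ is below every pre-fixpoint".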

Users of the framework can also apply the Kleene fixpoint theorem, which 
provides an alternative characterization of the least fixpoint of some functions. 
It uses the auxiliary notions of directed sets (of languages) and Scott-continuity: 

$$\mathit{directed}(X) \;\stackrel{\mathrm{def}}{=}\; X \neq \emptyset \;\&\; (\forall P \in X, Q \in X : \exists R \in X : P \subseteq R \;\&\; Q \subseteq R)$$

$$\mathit{Scott\text{-}continuous}(f) \;\stackrel{\mathrm{def}}{=}\; \forall X : \mathit{directed}(X) \Rightarrow f(\bigcup X) = \bigcup\{f(P) \mid P \in X\}$$

The theorem says that if $f$ is Scott-continuous (and therefore monotone), then:

$$\mathit{lfp}\,f = \bigcup\{f^n(\bot) \mid n \in \mathbb{N}\}$$

The composition of Scott-continuous functions is again Scott-continuous, and it is simple to prove the Scott-continuity of $(;)$, $(\cup)$, $(\parallel)$ and the Kleene star. 
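The following is an added example and not code from the paper: programs as languages, i.e. sets of traces over atomic actions, with the operators $(;)$, $(\cup)$, $(\parallel)$ as shuffle, and the Kleene star, together with the Kleene fixpoint iteration $\bigcup_n f^n(\bot)$ of this appendix. A language containing a star is infinite, so every language here is truncated to traces of length at most `BOUND`; the truncation, the helper names (`trunc`, `seqc`, `shuffle`, `star_direct`, `kleene_lfp`, `star_as_lfp`) and the sample programs are all conveniences of this example, not notation of the framework. Under the truncation the ascending chain $f^n(\bot)$ stabilises after finitely many steps, and Lemma 19 can be checked directly by comparing the least fixpoint of $\lambda x . \mathit{skip} \cup (P ; x)$ with the union of the powers of $P$.

```python
# Added example, not code from the paper: languages with (;), (U), (||) and
# star, and the Kleene iteration lfp f = U_n f^n(bottom), all truncated to
# traces of length <= BOUND so that the sets stay finite.
BOUND = 6
SKIP = frozenset({()})          # the language of the empty trace
BOTTOM = frozenset()            # the empty language, bottom of the lattice

def trunc(lang):
    return frozenset(w for w in lang if len(w) <= BOUND)

def union(p, q):                                  # (U)
    return p | q

def seqc(p, q):                                   # (;) is concatenation of traces
    return trunc({u + v for u in p for v in q})

def shuffle_words(u, v):
    """All interleavings of two traces that keep each trace's own order."""
    if not u or not v:
        return {u + v}
    return ({(u[0],) + w for w in shuffle_words(u[1:], v)}
            | {(v[0],) + w for w in shuffle_words(u, v[1:])})

def shuffle(p, q):                                # (||) is the shuffle of languages
    return trunc({w for u in p for v in q for w in shuffle_words(u, v)})

def star_direct(p):
    """P* as the union of the powers P^0, P^1, P^2, ... (truncated)."""
    result, power = SKIP, SKIP
    while True:
        power = seqc(power, p)
        if power <= result:
            return result
        result = union(result, power)

def kleene_lfp(f):
    """Kleene iteration: returns (lfp f, the ascending chain bottom, f(bottom), ...)."""
    chain = [BOTTOM]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return nxt, chain
        if not chain[-1] <= nxt:
            raise ValueError('iterates do not ascend: f is not monotone')
        chain.append(nxt)

def star_as_lfp(p):
    """Lemma 19: P* = lfp (lambda x . skip U (P ; x))."""
    return kleene_lfp(lambda x: union(SKIP, seqc(p, x)))[0]

# Constructed sample programs; an action is a one-element trace.
A = frozenset({('a',)})
AB_OR_C = frozenset({('a', 'b'), ('c',)})
TWO_STEPS = frozenset({('lock', 'write')})
OTHER = frozenset({('read', 'unlock')})
```

For `A`, the chain produced by `kleene_lfp` grows by one trace per step, from `BOTTOM` through `{()}`, `{(), ('a',)}` and so on, until the length bound stops it; `star_as_lfp(A)` and `star_direct(A)` are the same set. `shuffle(TWO_STEPS, OTHER)` has the six interleavings of two two-step traces, which is what makes $(\parallel)$ the operator that exposes orderings such as `('read', 'lock', 'write', 'unlock')` that neither sequential composition would produce.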